kyverno/pkg/engine/mutation.go

package engine

import (
	"strings"
	"time"

	"github.com/golang/glog"
	kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"
	"github.com/nirmata/kyverno/pkg/engine/response"
)

const (
	PodControllers           = "DaemonSet,Deployment,Job,StatefulSet"
	PodControllersAnnotation = "pod-policies.kyverno.io/autogen-controllers"
	PodTemplateAnnotation    = "pod-policies.kyverno.io/autogen-applied"
)

// Mutate performs mutation. Overlay first and then mutation patches
func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {
	startTime := time.Now()
	policy := policyContext.Policy
	resource := policyContext.NewResource
	ctx := policyContext.Context

	// policy information
	func() {
		// set policy information
		resp.PolicyResponse.Policy = policy.Name
		// resource details
		resp.PolicyResponse.Resource.Name = resource.GetName()
		resp.PolicyResponse.Resource.Namespace = resource.GetNamespace()
		resp.PolicyResponse.Resource.Kind = resource.GetKind()
		resp.PolicyResponse.Resource.APIVersion = resource.GetAPIVersion()
	}()
	glog.V(4).Infof("started applying mutation rules of policy %q (%v)", policy.Name, startTime)
	defer func() {
		resp.PolicyResponse.ProcessingTime = time.Since(startTime)
		glog.V(4).Infof("finished applying mutation rules policy %v (%v)", policy.Name, resp.PolicyResponse.ProcessingTime)
		glog.V(4).Infof("Mutation Rules appplied count %v for policy %q", resp.PolicyResponse.RulesAppliedCount, policy.Name)
	}()
	incrementAppliedRuleCount := func() {
		// rules applied succesfully count
		resp.PolicyResponse.RulesAppliedCount++
	}

	patchedResource := policyContext.NewResource

	for _, rule := range policy.Spec.Rules {
		//TODO: to be checked before calling the resources as well
		if !rule.HasMutate() && !strings.Contains(PodControllers, resource.GetKind()) {
			continue
		}

		startTime := time.Now()
		if !matchAdmissionInfo(rule, policyContext.AdmissionInfo) {
			glog.V(3).Infof("rule '%s' cannot be applied on %s/%s/%s, admission permission: %v",
				rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), policyContext.AdmissionInfo)
			continue
		}
		glog.V(4).Infof("Time: Mutate matchAdmissionInfo %v", time.Since(startTime))

		// check if the resource satisfies the filter conditions defined in the rule
		//TODO: this needs to be extracted, to filter the resource so that we can avoid passing resources that
		// dont statisfy a policy rule resource description
		ok := MatchesResourceDescription(resource, rule)
		if !ok {
			glog.V(4).Infof("resource %s/%s does not satisfy the resource description for the rule ", resource.GetNamespace(), resource.GetName())
			continue
		}
		// Process Overlay
		if rule.Mutation.Overlay != nil {
			var ruleResponse response.RuleResponse
			ruleResponse, patchedResource = processOverlay(ctx, rule, patchedResource)
			if ruleResponse.Success == true && ruleResponse.Patches == nil {
				// overlay pattern does not match the resource conditions
				glog.V(4).Infof(ruleResponse.Message)
				continue
			} else if ruleResponse.Success == true {
				glog.Infof("Mutate overlay in rule '%s' successfully applied on %s/%s/%s", rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName())
			}

			resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)
			incrementAppliedRuleCount()
		}

		// Process Patches
		if rule.Mutation.Patches != nil {
			var ruleResponse response.RuleResponse
			ruleResponse, patchedResource = processPatches(rule, patchedResource)
			glog.Infof("Mutate patches in rule '%s' successfully applied on %s/%s/%s", rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName())
			resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)
			incrementAppliedRuleCount()
		}

		// insert annotation to podtemplate if resource is pod controller
		if strings.Contains(PodControllers, resource.GetKind()) {
			var ruleResponse response.RuleResponse
			ruleResponse, patchedResource = processOverlay(ctx, podTemplateRule, patchedResource)
			if !ruleResponse.Success {
				glog.Errorf("Failed to insert annotation to podTemplate of %s/%s/%s: %s", resource.GetKind(), resource.GetNamespace(), resource.GetName(), ruleResponse.Message)
				continue
			}

			if ruleResponse.Patches != nil {
				glog.V(2).Infof("Inserted annotation to podTemplate of %s/%s/%s: %s", resource.GetKind(), resource.GetNamespace(), resource.GetName(), ruleResponse.Message)
				resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)
			}
		}
	}
	// send the patched resource
	resp.PatchedResource = patchedResource
	return resp
}

// podTemplateRule mutate pod template with annotation
// pod-policies.kyverno.io/autogen-applied=true
var podTemplateRule = kyverno.Rule{
	Name: "autogen-annotate-podtemplate",
	Mutation: kyverno.Mutation{
		Overlay: map[string]interface{}{
			"spec": map[string]interface{}{
				"template": map[string]interface{}{
					"metadata": map[string]interface{}{
						"annotations": map[string]interface{}{
							"pod-policies.kyverno.io/autogen-applied": "true",
						},
					},
				},
			},
		},
	},
}
Resolve PR 27 2019-05-14 01:17:28 +00:00			`package engine`
Add PolicyEngine 2019-05-10 05:26:22 +00:00
			`import (`
- insert annotation to podTemplate; - skip apply rule on pod if annotation exists 2019-12-26 23:34:19 +00:00			`"strings"`
initial commit 2019-08-19 23:40:10 +00:00			`"time"`
test policy engine on admission requests 2019-08-09 23:55:43 +00:00
introduce info struct for engine responses 2019-06-26 01:16:02 +00:00			`"github.com/golang/glog"`
- insert annotation to podTemplate; - skip apply rule on pod if annotation exists 2019-12-26 23:34:19 +00:00			`kyverno "github.com/nirmata/kyverno/pkg/api/kyverno/v1"`
refactor engine packages for validate & generate 2019-12-12 23:02:59 +00:00			`"github.com/nirmata/kyverno/pkg/engine/response"`
Add PolicyEngine 2019-05-10 05:26:22 +00:00			`)`

- insert annotation to podTemplate; - skip apply rule on pod if annotation exists 2019-12-26 23:34:19 +00:00			`const (`
			`PodControllers = "DaemonSet,Deployment,Job,StatefulSet"`
			`PodControllersAnnotation = "pod-policies.kyverno.io/autogen-controllers"`
			`PodTemplateAnnotation = "pod-policies.kyverno.io/autogen-applied"`
			`)`

Updated code in the project to be compilable with new version of Policy. Moved logic from webhooks/mutation.go to policyengine/mutation.go and server.go 2019-05-13 18:27:47 +00:00			`// Mutate performs mutation. Overlay first and then mutation patches`
refactor engine packages for validate & generate 2019-12-12 23:02:59 +00:00			`func Mutate(policyContext PolicyContext) (resp response.EngineResponse) {`
initial redesign 2019-08-24 01:34:23 +00:00			`startTime := time.Now()`
change engine interface to take policyContext struct 2019-11-09 02:57:27 +00:00			`policy := policyContext.Policy`
skip validation if the resource updates dont violate policy rules (#477) 2019-11-13 21:13:07 +00:00			`resource := policyContext.NewResource`
support variable substitution in overlay mutation 2019-12-13 02:25:54 +00:00			`ctx := policyContext.Context`
change engine interface to take policyContext struct 2019-11-09 02:57:27 +00:00
initial redesign 2019-08-24 01:34:23 +00:00			`// policy information`
			`func() {`
			`// set policy information`
refactor engine packages for validate & generate 2019-12-12 23:02:59 +00:00			`resp.PolicyResponse.Policy = policy.Name`
initial redesign 2019-08-24 01:34:23 +00:00			`// resource details`
refactor engine packages for validate & generate 2019-12-12 23:02:59 +00:00			`resp.PolicyResponse.Resource.Name = resource.GetName()`
			`resp.PolicyResponse.Resource.Namespace = resource.GetNamespace()`
			`resp.PolicyResponse.Resource.Kind = resource.GetKind()`
			`resp.PolicyResponse.Resource.APIVersion = resource.GetAPIVersion()`
initial redesign 2019-08-24 01:34:23 +00:00			`}()`
			`glog.V(4).Infof("started applying mutation rules of policy %q (%v)", policy.Name, startTime)`
			`defer func() {`
refactor engine packages for validate & generate 2019-12-12 23:02:59 +00:00			`resp.PolicyResponse.ProcessingTime = time.Since(startTime)`
			`glog.V(4).Infof("finished applying mutation rules policy %v (%v)", policy.Name, resp.PolicyResponse.ProcessingTime)`
			`glog.V(4).Infof("Mutation Rules appplied count %v for policy %q", resp.PolicyResponse.RulesAppliedCount, policy.Name)`
initial redesign 2019-08-24 01:34:23 +00:00			`}()`
			`incrementAppliedRuleCount := func() {`
			`// rules applied succesfully count`
refactor engine packages for validate & generate 2019-12-12 23:02:59 +00:00			`resp.PolicyResponse.RulesAppliedCount++`
initial redesign 2019-08-24 01:34:23 +00:00			`}`

fix annotation patch in mutate rule 2019-11-14 01:56:56 +00:00			`patchedResource := policyContext.NewResource`
initial redesign 2019-08-24 01:34:23 +00:00
			`for _, rule := range policy.Spec.Rules {`
			`//TODO: to be checked before calling the resources as well`
- insert annotation to podTemplate; - skip apply rule on pod if annotation exists 2019-12-26 23:34:19 +00:00			`if !rule.HasMutate() && !strings.Contains(PodControllers, resource.GetKind()) {`
initial redesign 2019-08-24 01:34:23 +00:00			`continue`
			`}`
change engine interface to take policyContext struct 2019-11-09 02:57:27 +00:00
- add profiling; - fix CLI 2019-11-12 05:23:26 +00:00			`startTime := time.Now()`
change engine interface to take policyContext struct 2019-11-09 02:57:27 +00:00			`if !matchAdmissionInfo(rule, policyContext.AdmissionInfo) {`
fix patches annotation 2019-11-12 02:52:26 +00:00			`glog.V(3).Infof("rule '%s' cannot be applied on %s/%s/%s, admission permission: %v",`
change engine interface to take policyContext struct 2019-11-09 02:57:27 +00:00			`rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName(), policyContext.AdmissionInfo)`
			`continue`
			`}`
- add profiling; - fix CLI 2019-11-12 05:23:26 +00:00			`glog.V(4).Infof("Time: Mutate matchAdmissionInfo %v", time.Since(startTime))`
change engine interface to take policyContext struct 2019-11-09 02:57:27 +00:00
initial redesign 2019-08-24 01:34:23 +00:00			`// check if the resource satisfies the filter conditions defined in the rule`
			`//TODO: this needs to be extracted, to filter the resource so that we can avoid passing resources that`
			`// dont statisfy a policy rule resource description`
			`ok := MatchesResourceDescription(resource, rule)`
			`if !ok {`
			`glog.V(4).Infof("resource %s/%s does not satisfy the resource description for the rule ", resource.GetNamespace(), resource.GetName())`
			`continue`
			`}`
			`// Process Overlay`
			`if rule.Mutation.Overlay != nil {`
refactor engine packages for validate & generate 2019-12-12 23:02:59 +00:00			`var ruleResponse response.RuleResponse`
support variable substitution in overlay mutation 2019-12-13 02:25:54 +00:00			`ruleResponse, patchedResource = processOverlay(ctx, rule, patchedResource)`
handle processOverlay with overlayError 2019-11-07 00:16:29 +00:00			`if ruleResponse.Success == true && ruleResponse.Patches == nil {`
initial redesign 2019-08-24 01:34:23 +00:00			`// overlay pattern does not match the resource conditions`
remove overlay failure conditionNotPresent as it allows the tag not present 2019-11-12 05:03:34 +00:00			`glog.V(4).Infof(ruleResponse.Message)`
initial redesign 2019-08-24 01:34:23 +00:00			`continue`
fix annotation patch in mutate rule 2019-11-14 01:56:56 +00:00			`} else if ruleResponse.Success == true {`
			`glog.Infof("Mutate overlay in rule '%s' successfully applied on %s/%s/%s", rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName())`
initial redesign 2019-08-24 01:34:23 +00:00			`}`
fix annotation patch in mutate rule 2019-11-14 01:56:56 +00:00
refactor engine packages for validate & generate 2019-12-12 23:02:59 +00:00			`resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)`
initial redesign 2019-08-24 01:34:23 +00:00			`incrementAppliedRuleCount()`
			`}`

			`// Process Patches`
			`if rule.Mutation.Patches != nil {`
refactor engine packages for validate & generate 2019-12-12 23:02:59 +00:00			`var ruleResponse response.RuleResponse`
fix annotation patch in mutate rule 2019-11-14 01:56:56 +00:00			`ruleResponse, patchedResource = processPatches(rule, patchedResource)`
remove overlay failure conditionNotPresent as it allows the tag not present 2019-11-12 05:03:34 +00:00			`glog.Infof("Mutate patches in rule '%s' successfully applied on %s/%s/%s", rule.Name, resource.GetKind(), resource.GetNamespace(), resource.GetName())`
refactor engine packages for validate & generate 2019-12-12 23:02:59 +00:00			`resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)`
initial redesign 2019-08-24 01:34:23 +00:00			`incrementAppliedRuleCount()`
			`}`
- insert annotation to podTemplate; - skip apply rule on pod if annotation exists 2019-12-26 23:34:19 +00:00
			`// insert annotation to podtemplate if resource is pod controller`
			`if strings.Contains(PodControllers, resource.GetKind()) {`
			`var ruleResponse response.RuleResponse`
			`ruleResponse, patchedResource = processOverlay(ctx, podTemplateRule, patchedResource)`
			`if !ruleResponse.Success {`
skip process existing pod if annotation present 2019-12-27 02:41:14 +00:00			`glog.Errorf("Failed to insert annotation to podTemplate of %s/%s/%s: %s", resource.GetKind(), resource.GetNamespace(), resource.GetName(), ruleResponse.Message)`
- insert annotation to podTemplate; - skip apply rule on pod if annotation exists 2019-12-26 23:34:19 +00:00			`continue`
			`}`

skip process existing pod if annotation present 2019-12-27 02:41:14 +00:00			`if ruleResponse.Patches != nil {`
- add =() to volumes; - update error msg 2019-12-27 22:59:12 +00:00			`glog.V(2).Infof("Inserted annotation to podTemplate of %s/%s/%s: %s", resource.GetKind(), resource.GetNamespace(), resource.GetName(), ruleResponse.Message)`
skip process existing pod if annotation present 2019-12-27 02:41:14 +00:00			`resp.PolicyResponse.Rules = append(resp.PolicyResponse.Rules, ruleResponse)`
			`}`
- insert annotation to podTemplate; - skip apply rule on pod if annotation exists 2019-12-26 23:34:19 +00:00			`}`
initial redesign 2019-08-24 01:34:23 +00:00			`}`
			`// send the patched resource`
refactor engine packages for validate & generate 2019-12-12 23:02:59 +00:00			`resp.PatchedResource = patchedResource`
			`return resp`
initial redesign 2019-08-24 01:34:23 +00:00			`}`
- insert annotation to podTemplate; - skip apply rule on pod if annotation exists 2019-12-26 23:34:19 +00:00
			`// podTemplateRule mutate pod template with annotation`
			`// pod-policies.kyverno.io/autogen-applied=true`
			`var podTemplateRule = kyverno.Rule{`
skip process existing pod if annotation present 2019-12-27 02:41:14 +00:00			`Name: "autogen-annotate-podtemplate",`
- insert annotation to podTemplate; - skip apply rule on pod if annotation exists 2019-12-26 23:34:19 +00:00			`Mutation: kyverno.Mutation{`
skip process existing pod if annotation present 2019-12-27 02:41:14 +00:00			`Overlay: map[string]interface{}{`
			`"spec": map[string]interface{}{`
			`"template": map[string]interface{}{`
			`"metadata": map[string]interface{}{`
			`"annotations": map[string]interface{}{`
			`"pod-policies.kyverno.io/autogen-applied": "true",`
			`},`
			`},`
			`},`
			`},`
			`},`
- insert annotation to podTemplate; - skip apply rule on pod if annotation exists 2019-12-26 23:34:19 +00:00			`},`
			`}`